SSL VPN connection fails

Hello,

A few of my clients cannot connect to the SSL VPN on our Sophos. They get the following error message:

Sun Nov 24 14:19:33 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jun 23 2017
Sun Nov 24 14:19:33 2019 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.09
Enter Management Password:
Sun Nov 24 14:19:33 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Nov 24 14:19:33 2019 Need hold release from management interface, waiting...
Sun Nov 24 14:19:33 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Nov 24 14:19:33 2019 MANAGEMENT: CMD 'state on'
Sun Nov 24 14:19:33 2019 MANAGEMENT: CMD 'log all on'
Sun Nov 24 14:19:33 2019 MANAGEMENT: CMD 'hold off'
Sun Nov 24 14:19:33 2019 MANAGEMENT: CMD 'hold release'
Sun Nov 24 14:19:59 2019 MANAGEMENT: CMD 'username "Auth" "Benutzername"'
Sun Nov 24 14:19:59 2019 MANAGEMENT: CMD 'password [...]'
Sun Nov 24 14:19:59 2019 Socket Buffers: R=[65536->65536] S=[64512->64512]
Sun Nov 24 14:19:59 2019 MANAGEMENT: >STATE:1574601599,RESOLVE,,,,,,
Sun Nov 24 14:19:59 2019 Attempting to establish TCP connection with [AF_INET]IP:443 [nonblock]
Sun Nov 24 14:19:59 2019 MANAGEMENT: >STATE:1574601599,TCP_CONNECT,,,,,,
Sun Nov 24 14:20:00 2019 TCP connection established with [AF_INET]IP:443
Sun Nov 24 14:20:00 2019 TCPv4_CLIENT link local: [undef]
Sun Nov 24 14:20:00 2019 TCPv4_CLIENT link remote: [AF_INET]IP:443
Sun Nov 24 14:20:00 2019 MANAGEMENT: >STATE:1574601600,WAIT,,,,,,
Sun Nov 24 14:20:00 2019 MANAGEMENT: >STATE:1574601600,AUTH,,,,,,
Sun Nov 24 14:20:00 2019 TLS: Initial packet from [AF_INET]IP:443, sid=5ad416a6 0e637baf
Sun Nov 24 14:20:00 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Nov 24 14:20:01 2019 VERIFY OK: depth=1, C=de, L=Stadt, O=Stadt - AöR, CN=Stadt - AöR VPN CA, emailAddress=sophos@wb-Stadt.de
Sun Nov 24 14:20:01 2019 VERIFY X509NAME OK: C=de, L=Stadt, O=Stadt - AöR, CN=wbdproxysrv01.wbStadt.de, emailAddress=E-Mail
Sun Nov 24 14:20:01 2019 VERIFY OK: depth=0, C=de, L=Stadt, O=Stadt - AöR, CN=wbdproxysrv01.wbStadt.de, emailAddress=E-Mail
Sun Nov 24 14:20:02 2019 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Nov 24 14:20:02 2019 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Nov 24 14:20:02 2019 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Nov 24 14:20:02 2019 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Nov 24 14:20:02 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Nov 24 14:20:02 2019 [wbdproxysrv01.wbStadt.de] Peer Connection Initiated with [AF_INET]IP:443
Sun Nov 24 14:20:03 2019 MANAGEMENT: >STATE:1574601603,GET_CONFIG,,,,,,
Sun Nov 24 14:20:04 2019 SENT CONTROL [wbdproxysrv01.wbStadt.de]: 'PUSH_REQUEST' (status=1)
Sun Nov 24 14:20:04 2019 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.154.16.1,route-gateway 10.154.16.1,topology subnet,ping 10,ping-restart 120,redirect-gateway def1,dhcp-option DNS 10.154.16.254,dhcp-option DNS 10.154.9.176,dhcp-option DOMAIN wbStadt.de,ifconfig 10.154.16.5 255.255.255.0'
Sun Nov 24 14:20:04 2019 OPTIONS IMPORT: timers and/or timeouts modified
Sun Nov 24 14:20:04 2019 OPTIONS IMPORT: --ifconfig/up options modified
Sun Nov 24 14:20:04 2019 OPTIONS IMPORT: route options modified
Sun Nov 24 14:20:04 2019 OPTIONS IMPORT: route-related options modified
Sun Nov 24 14:20:04 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Nov 24 14:20:04 2019 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 I=16 HWADDR=d0:c6:37:21:ae:c6
Sun Nov 24 14:20:04 2019 open_tun, tt->ipv6=0
Sun Nov 24 14:20:04 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{EBEDA93A-44CC-4D8A-A1D8-B254741A4FCA}.tap
Sun Nov 24 14:20:04 2019 TAP-Windows Driver Version 9.21
Sun Nov 24 14:20:04 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 10.154.16.0/10.154.16.5/255.255.255.0 [SUCCEEDED]
Sun Nov 24 14:20:04 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.154.16.5/255.255.255.0 on interface {EBEDA93A-44CC-4D8A-A1D8-B254741A4FCA} [DHCP-serv: 10.154.16.254, lease-time: 31536000]
Sun Nov 24 14:20:04 2019 Successful ARP Flush on interface [19] {EBEDA93A-44CC-4D8A-A1D8-B254741A4FCA}
Sun Nov 24 14:20:04 2019 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Nov 24 14:20:04 2019 MANAGEMENT: >STATE:1574601604,ASSIGN_IP,,10.154.16.5,,,,
Sun Nov 24 14:20:08 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Nov 24 14:20:08 2019 C:\Windows\system32\route.exe ADD IP MASK 255.255.255.255 192.168.178.1
Sun Nov 24 14:20:08 2019 Route addition via service succeeded
Sun Nov 24 14:20:08 2019 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.154.16.1
Sun Nov 24 14:20:08 2019 Route addition via service succeeded
Sun Nov 24 14:20:08 2019 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.154.16.1
Sun Nov 24 14:20:08 2019 Route addition via service succeeded
Sun Nov 24 14:20:08 2019 MANAGEMENT: >STATE:1574601608,ADD_ROUTES,,,,,,
Sun Nov 24 14:20:08 2019 C:\Windows\system32\route.exe ADD IP MASK 255.255.255.255 192.168.178.1
Sun Nov 24 14:20:08 2019 ROUTE: route addition failed using service: Das Objekt ist bereits vorhanden.   [status=5010 if_index=16]
Sun Nov 24 14:20:08 2019 Route addition via service failed
Sun Nov 24 14:20:08 2019 Initialization Sequence Completed
Sun Nov 24 14:20:08 2019 MANAGEMENT: >STATE:1574601608,CONNECTED,SUCCESS,10.154.16.5,IP,443,192.168.178.41,53762
Sun Nov 24 14:21:10 2019 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Sun Nov 24 14:21:10 2019 Connection reset, restarting [-1]
Sun Nov 24 14:21:10 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Nov 24 14:21:10 2019 MANAGEMENT: >STATE:1574601670,RECONNECTING,connection-reset,,,,,
Sun Nov 24 14:21:10 2019 Restart pause, 5 second(s)
Sun Nov 24 14:21:15 2019 Socket Buffers: R=[65536->65536] S=[64512->64512]
Sun Nov 24 14:21:15 2019 MANAGEMENT: >STATE:1574601675,RESOLVE,,,,,,
Sun Nov 24 14:21:27 2019 Attempting to establish TCP connection with [AF_INET]IP:443 [nonblock]
Sun Nov 24 14:21:27 2019 MANAGEMENT: >STATE:1574601687,TCP_CONNECT,,,,,,
Sun Nov 24 14:21:37 2019 TCP: connect to [AF_INET]IP:443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.  
Sun Nov 24 14:21:42 2019 MANAGEMENT: >STATE:1574601702,RESOLVE,,,,,,
Sun Nov 24 14:21:42 2019 MANAGEMENT: >STATE:1574601702,TCP_CONNECT,,,,,,
Sun Nov 24 14:21:52 2019 TCP: connect to [AF_INET]IP:443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.  
Sun Nov 24 14:21:57 2019 MANAGEMENT: >STATE:1574601717,RESOLVE,,,,,,
Sun Nov 24 14:21:57 2019 MANAGEMENT: >STATE:1574601717,TCP_CONNECT,,,,,,
Sun Nov 24 14:22:07 2019 TCP: connect to [AF_INET]IP:443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.  
Sun Nov 24 14:22:12 2019 MANAGEMENT: >STATE:1574601732,RESOLVE,,,,,,
Sun Nov 24 14:22:12 2019 MANAGEMENT: >STATE:1574601732,TCP_CONNECT,,,,,,
Sun Nov 24 14:22:22 2019 TCP: connect to [AF_INET]IP:443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.  


Does this message mean that a network drive really is supposed to be mounted, but is already mounted?

Thanks in advance for your help.

Kind regards
René

  • Hello René,

    No, you can safely ignore that SUBST message.

    BUT: you have a problem with the routes, or rather with the network definitions. 192.168.178.0/24 evidently exists twice, or on both sides of the tunnel, and that cannot work.

    The network you want to connect into via VPN (field: "Local Networks") must not also exist on the remote side. So the famous "Fritzbox" network 192.168.178.0/24 with default gateway 192.168.178.1 may only exist once if you want to route. Otherwise you can only reach the network behind the UTM from the workstation the VPN client itself is running on.
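Added example (not from the thread or from Sophos): a small Python checker for the two things jprusch points at in the OpenVPN client log, a subnet that exists both on the client's LAN and behind the tunnel, and a route addition that failed because the route was already present (status 5010). The sample log is a constructed trim of the one quoted above, with the server address shown there as "IP" replaced by the placeholder 203.0.113.10; the `remote_networks` parameter stands in for what the UTM's "Local Networks" field lists, which the client log itself does not reveal when `redirect-gateway def1` is pushed.

```python
import ipaddress
import re

# Constructed sample trimmed from the thread's log; the server address shown there as "IP" is a placeholder here.
SAMPLE_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.154.16.1,topology subnet,redirect-gateway def1,ifconfig 10.154.16.5 255.255.255.0'
ROUTE_GATEWAY 192.168.178.1/255.255.255.0 I=16 HWADDR=d0:c6:37:21:ae:c6
C:\\Windows\\system32\\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.178.1
Route addition via service succeeded
C:\\Windows\\system32\\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.178.1
ROUTE: route addition failed using service: Das Objekt ist bereits vorhanden.   [status=5010 if_index=16]
"""

IP = r"(\d+(?:\.\d+){3})"
GATEWAY_RE = re.compile(rf"ROUTE_GATEWAY {IP}/{IP}")        # client's own LAN and gateway
IFCONFIG_RE = re.compile(rf"ifconfig {IP} {IP}")             # tunnel address pushed by the UTM
PUSHED_ROUTE_RE = re.compile(rf"\broute {IP} {IP}")          # explicit pushed 'route' options
ROUTE_ADD_RE = re.compile(rf"route\.exe ADD {IP} MASK {IP}")
ROUTE_FAIL_RE = re.compile(r"route addition failed.*status=(\d+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_log(text):
    """Extract the client LAN, tunnel subnet, pushed routes and failed route additions."""
    info = {"local_lan": None, "tunnel": None, "pushed_routes": [], "failed_routes": []}
    last_add = None
    for line in text.splitlines():
        if m := GATEWAY_RE.search(line):
            info["local_lan"] = net(m[1], m[2])
        elif "PUSH_REPLY" in line:
            if m := IFCONFIG_RE.search(line):
                info["tunnel"] = net(m[1], m[2])
            info["pushed_routes"] += [net(d, k) for d, k in PUSHED_ROUTE_RE.findall(line)]
        elif m := ROUTE_ADD_RE.search(line):
            last_add = net(m[1], m[2])          # remember the ADD a following failure refers to
        elif (m := ROUTE_FAIL_RE.search(line)) and last_add is not None:
            info["failed_routes"].append((last_add, int(m[1])))
    return info

def analyze(text, remote_networks=()):
    """remote_networks: subnets listed in the UTM's 'Local Networks' field (assumed input).
    A subnet reachable both on the local LAN and through the tunnel cannot be routed cleanly."""
    info = parse_log(text)
    lan = info["local_lan"]
    remotes = [ipaddress.ip_network(n) for n in remote_networks] + info["pushed_routes"]
    if info["tunnel"]: remotes.append(info["tunnel"])
    return {"local_lan": str(lan), "tunnel": str(info["tunnel"]),
            "overlapping_networks": sorted(str(n) for n in remotes if lan and n.overlaps(lan)),
            # 5010 is the Windows status behind "Das Objekt ist bereits vorhanden."
            "duplicate_routes": [str(d) for d, s in info["failed_routes"] if s == 5010]}
```

Run against the thread's log the only finding is the duplicate host route to the server; the overlap only shows up once the UTM-side "Local Networks" (here passed by hand) include the same 192.168.178.0/24 the client sits in.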

  • In reply to jprusch:

    Hey,

    We want employees to reach the internet only through the Sophos, so the last point is fine for us.

    I have now received the following message as well:


    Wed Nov 27 05:50:18 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jun 23 2017
    Wed Nov 27 05:50:18 2019 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.09
    Enter Management Password:
    Wed Nov 27 05:50:18 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Wed Nov 27 05:50:18 2019 Need hold release from management interface, waiting...
    Wed Nov 27 05:50:19 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Wed Nov 27 05:50:19 2019 MANAGEMENT: CMD 'state on'
    Wed Nov 27 05:50:19 2019 MANAGEMENT: CMD 'log all on'
    Wed Nov 27 05:50:19 2019 MANAGEMENT: CMD 'hold off'
    Wed Nov 27 05:50:19 2019 MANAGEMENT: CMD 'hold release'
    Wed Nov 27 05:50:48 2019 MANAGEMENT: CMD 'username "Auth" "Benutzername"'
    Wed Nov 27 05:50:48 2019 MANAGEMENT: CMD 'password [...]'
    Wed Nov 27 05:50:48 2019 Socket Buffers: R=[65536->65536] S=[64512->64512]
    Wed Nov 27 05:50:48 2019 MANAGEMENT: >STATE:1574830248,RESOLVE,,,,,,
    Wed Nov 27 05:50:48 2019 Attempting to establish TCP connection with [AF_INET]IP:443 [nonblock]
    Wed Nov 27 05:50:48 2019 MANAGEMENT: >STATE:1574830248,TCP_CONNECT,,,,,,
    Wed Nov 27 05:50:49 2019 TCP connection established with [AF_INET]IP:443
    Wed Nov 27 05:50:49 2019 TCPv4_CLIENT link local: [undef]
    Wed Nov 27 05:50:49 2019 TCPv4_CLIENT link remote: [AF_INET]IP:443
    Wed Nov 27 05:50:49 2019 MANAGEMENT: >STATE:1574830249,WAIT,,,,,,
    Wed Nov 27 05:50:49 2019 MANAGEMENT: >STATE:1574830249,AUTH,,,,,,
    Wed Nov 27 05:50:49 2019 TLS: Initial packet from [AF_INET]IP:443, sid=37c19bd4 d0dfebcd
    Wed Nov 27 05:50:49 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Nov 27 05:50:49 2019 VERIFY OK: depth=1, C=de, L=Duisburg, O=Company - AöR, CN=Company - AöR VPN CA, emailAddress=E-Mail
    Wed Nov 27 05:50:49 2019 VERIFY X509NAME OK: C=de, L=Duisburg, O=Company - AöR, CN=wbdproxysrv01.wbduisburg.de, emailAddress=E-Mail
    Wed Nov 27 05:50:49 2019 VERIFY OK: depth=0, C=de, L=Duisburg, O=Company - AöR, CN=wbdproxysrv01.wbduisburg.de, emailAddress=E-Mail
    Wed Nov 27 05:50:50 2019 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Nov 27 05:50:50 2019 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Nov 27 05:50:50 2019 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Nov 27 05:50:50 2019 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Nov 27 05:50:50 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Wed Nov 27 05:50:50 2019 [wbdproxysrv01.wbduisburg.de] Peer Connection Initiated with [AF_INET]IP:443
    Wed Nov 27 05:50:52 2019 MANAGEMENT: >STATE:1574830252,GET_CONFIG,,,,,,
    Wed Nov 27 05:50:53 2019 SENT CONTROL [wbdproxysrv01.wbduisburg.de]: 'PUSH_REQUEST' (status=1)
    Wed Nov 27 05:50:53 2019 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.154.16.1,route-gateway 10.154.16.1,topology subnet,ping 10,ping-restart 120,redirect-gateway def1,dhcp-option DNS 10.154.16.254,dhcp-option DNS 10.154.9.176,dhcp-option DOMAIN wbduisburg.de,ifconfig 10.154.16.2 255.255.255.0'
    Wed Nov 27 05:50:53 2019 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Nov 27 05:50:53 2019 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Nov 27 05:50:53 2019 OPTIONS IMPORT: route options modified
    Wed Nov 27 05:50:53 2019 OPTIONS IMPORT: route-related options modified
    Wed Nov 27 05:50:53 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Nov 27 05:50:53 2019 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 I=16 HWADDR=d0:c6:37:21:ae:c6
    Wed Nov 27 05:50:53 2019 open_tun, tt->ipv6=0
    Wed Nov 27 05:50:53 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{EBEDA93A-44CC-4D8A-A1D8-B254741A4FCA}.tap
    Wed Nov 27 05:50:53 2019 TAP-Windows Driver Version 9.21
    Wed Nov 27 05:50:53 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 10.154.16.0/10.154.16.2/255.255.255.0 [SUCCEEDED]
    Wed Nov 27 05:50:53 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.154.16.2/255.255.255.0 on interface {EBEDA93A-44CC-4D8A-A1D8-B254741A4FCA} [DHCP-serv: 10.154.16.254, lease-time: 31536000]
    Wed Nov 27 05:50:53 2019 Successful ARP Flush on interface [19] {EBEDA93A-44CC-4D8A-A1D8-B254741A4FCA}
    Wed Nov 27 05:50:53 2019 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Wed Nov 27 05:50:53 2019 MANAGEMENT: >STATE:1574830253,ASSIGN_IP,,10.154.16.2,,,,
    Wed Nov 27 05:50:57 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
    Wed Nov 27 05:50:57 2019 C:\Windows\system32\route.exe ADD IP MASK 255.255.255.255 192.168.178.1
    Wed Nov 27 05:50:57 2019 Route addition via service succeeded
    Wed Nov 27 05:50:57 2019 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.154.16.1
    Wed Nov 27 05:50:57 2019 Route addition via service succeeded
    Wed Nov 27 05:50:57 2019 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.154.16.1
    Wed Nov 27 05:50:57 2019 Route addition via service succeeded
    Wed Nov 27 05:50:57 2019 MANAGEMENT: >STATE:1574830257,ADD_ROUTES,,,,,,
    Wed Nov 27 05:50:57 2019 C:\Windows\system32\route.exe ADD IP MASK 255.255.255.255 192.168.178.1
    Wed Nov 27 05:50:57 2019 ROUTE: route addition failed using service: Das Objekt ist bereits vorhanden.   [status=5010 if_index=16]
    Wed Nov 27 05:50:57 2019 Route addition via service failed
    Wed Nov 27 05:50:57 2019 Initialization Sequence Completed
    Wed Nov 27 05:50:57 2019 MANAGEMENT: >STATE:1574830257,CONNECTED,SUCCESS,10.154.16.2,IP,443,192.168.178.41,49808

    The connection is established and the status light turns green, but network drives and Outlook cannot be accessed.

    Regards

  • In reply to René Schmidt1:

    Hello René,

    I think the solution is simple: tick the box "Automatic firewall rules". After that it should work. However, I would not enter "Any" for the local networks, but list the actual local networks there. If you use the Sophos as a proxy, that should be all.

  • In reply to jprusch:

    Hello Philipp and René,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    Maybe I misunderstood, but I thought that René wanted the SSL VPN clients to have to go through Web Protection. In that case, I would use "Internet IPv4" instead of "Any." If the clients are allowed to access local networks, I would add them to 'Local Networks' in the SSL VPN profile.

    René, if you still have a problem, please show logs from both the client and the Sophos.

    Regards - Bob (Please continue in German.)